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© Key distribution method. 



© The invention relates to a method of distributing 
a key for enciphering un unenciphered or plaintext 
message and for deciphering the enciphered mes- 



The method comprises the following steps: 
generating a first random number in a first system 
(101); generating first key distribution information in 
the first system (101) by appiying a predetermined 
first transformation to the first random number on the 
basis of first secret information known only by the 
first system (101); transmitting the first key distribu- 
tion information to a second system (102) via a 
communication channel (103); receiving the first key 
distribution information in the second system (102); 
generating a second random number in the second 
system (102); generating second key distribution in- 
formation by applying the predetermined first trans- 

3 formation to the second random number on the 
basis of second secret information known only by 
m the second system (102); transmitting the second 

09 key distribution information to the first system (101) 

10 via the channel (103); receiving the second key 
^distribution information in the first system (101); and 
If) generating an enciphering key in the first system 
CM (101) by applying a predetermined second trans- 
formation to the second key distribution information 

on the basis of the first random number and iden- 
"jtification information of the second system (102) 
which is not secret 
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KEY DISTRIBUTION METHOD 



BACKGROUND OF THE INVENTION 

The invention relates to a method of distribut- 
ing a key for enciphering an unenctphered or plain- 
text message and for deciphering the enciphered 
message. 

A public key distribution method used in a 
public key cryptosystem as a well-known key dis- 
tribution method is disclosed in a paper entitled 
"New Directions in Cryptography" by W. Diffie and 
M.E. Hellman, published in the IEEE Transactions 
on Information Theory, Vol. IT-22, No. 6, pp. 644 to 
654, November issue, 1976. The key distribution 
method disclosed in the paper memorizes public 
information for each of conversers. In the system, 
before a converser A sends an enciphered mes- 
sage to a converser B, the converser A prepares 
an enciphering key (which represents a number 
obtained by calculating Y B * A (mod g )) gen- 
erated from public information Y B of the converser 
B and secret information X A which is kept secret 
by the converser A. The number g is a large prime 
number of about 256 bits in binary representation, 
which is publicly known, a (mod b) means a 
remainder of division of the number a by the num- 
ber b. The converser B also prepares the key wk in 
accordance to Y A x a (mod g) in a similar man- 
ner. Y A and Y B are selected so as to be equal to 
o*a (mod £) and a*e> (mod g), respec- 
tively. As a result, Y B X A (mod g ) becomes 
equal to Y A X 6 (mod g). It is known that even if 
Y A , a and g are known, it is infeasible for anybody 
except the converser A to obtain X A which satisfies 
Y A b a x A (mod g). 

The prior art key distribution system of the 
type described, however, has disadvantages in that 
since the system needs a large amount of public 
information corresponding to respective convers- 
ers, the amount of the public information increases 
as the number of conversers increases. Further, 
strict control of such information becomes neces- 
sary to prevent the information from being tam- 
pered. 



SUMMARY OF THE INVENTION 

An object of the invention is, therefore, to pro- 
vide a key distribution method free from the above- 
mentioned disadvantages of the prior art system. 

According to an aspect of the invention, there 
is provided a method which comprises the follow- 
ing steps: generating a first random number in a 
first system; generating first key distribution in- 



formation in the first system by applying a pre- 
determined first transformation to the first random 
number on the basis of first secret information 
known only by the first system; transmitting the 
s first key distribution information to a second sys- 
tem via a communication channel; receiving the 
first key distribution Information in the second sys- 
tem; generating a second random number in the 
second system; generating second key distribution 

io information by applying the predetermined first 
transformation to the second random number on 
the basis of second secret information known only 
by the second system; transmitting the second key 
distribution information to the first system via the 

75 channel; receiving the second key distribution in- 
formation in the first system; and generating an 
enciphering key in the first system by applying a 
predetermined second transformation to the sec- 
ond key distribution information on the basis of the 

20 first random number and identification information 
of the second system which is not secret 

According to another aspect of the invention, 
there is provided a method which comprises the 
following steps: generating a first random number 

25 in the first system; generating first key distribution 
information by applying a predetermined first trans- 
formation to the first random number on the basis 
of public information in the first system and gen- 
erating first identification information by applying a 

30 predetermined second transformation to the first 
random number on the basis of first secret informa- 
tion known only by the first system; transmitting 
the first key distribution information and the first 
identification information to a second system via a 

35 communication channel; receiving the first key dis- 
tribution information and the first identification in- 
formation in the second system; examining whether 
or not the result obtained by applying a predeter- 
mined third transformation to the first key distribu- 

40 tion information on the basis of the first identifica- 
tion information satisfies a first predetermined con- 
dition, and, if it does not satisfy, suspending key 
distribution processing; generating a second ran- 
dom number if said condition is satisfied in the 

45 preceding step; generating second key distribution 
-information by applying the predetermined first 
transformation to the second random number on 
the basis of the public information, and generating 
second identification information by applying the 

so predetermined second transformation to the sec- 
ond random number on the basis of second secret 
information known only by the second system; 
transmitting the second key distribution information 
and the second identification information to the first 
system via the communication channel; and exam- 
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ining whether or not the result obtained by applying 
a third predetermined transformation to the second 
key distribution information on the basis of the 
second identification information in the first system 
satisfies a predetermined second condition, and if 
the result does not satisfy the second condition, 
suspending the key distribution processing, or if it 
satisfies the second condition, generating an enci- 
phering key by applying a fourth predetermined 
transformation to the first random number on the 
basis of the second key distribution information. 



BRIEF DESCRIPTION OF THE DRAWINGS 

Other features and advantages of the invention 
will become more apparent from the following de- 
tailed description when taken in conjunction with 
the accompanying drawings in which: 

FIG. 1 is a block diagram of a first embodi- 
ment of the invention; 

FIG. 2 is a block diagram of a second em- 
bodiment of the invention; and 

FIG. 3 is a block diagram of an example of 
systems 101, 102, 201 and 202. 

In the drawings, the same reference numerals 
represent the same structural elements. 



PREFERRED EMBODIMENTS 

Referring now to FIG. 1, a first embodiment of 
the invention comprises a first system 101, a sec- 
ond system 102 and an insecure communication 
channel 103 such as a telephone line which trans- 
mits communication signals between the systems 
101 and 102. It is assumed herein that the systems 
101 and 102 are used by users or converters A 
and B, respectively. The user A has or knows a 
secret integer number S A and public integer num- 
bers e, c, a and n which are not necessarily secret 
while the user b" has or knows a secret integer 
number Seand the public integer numbers. These 
integer numbers are designated and distributed in 
advance by a reliable person or organization. The 
method to designate the integer numbers will be 
described later. 

An operation of the embodiment will next be 
described on a case in which the user A starts 
communication. The system 101 of the user A 
generates a random number ^ (Step A1 in FIG. 1) 
and sends a first key distribution code X A repre- 
sentative of a number obtained by computing S A • 
a** (mod n) (Step A2) to the system 102 of the user 
B (step A3). Next, when the system 102 receives 
the code XA(Step B1), it generates a random num- 
ber t (Step B2), calculates (X^/IDa) x (mod n) (Step 
B5), and keeps the resulting number as a encipher- 



ing key wk for enciphering a message into storage 
means (not shown). The identification code ID A 
represents herein a number obtained by consider- 
ing as a numeric value a code obtained by encod- 

5 ing the address, the name and so on of the user A. 
The encoding is, for instance, performed on the 
basis of tiie American National Standard Code for 
Information Interchange. Then, the system 102 
transmits to the system 101 of the user A a second 

io key distribution code Xb representative of a num- 
ber obtained by calculating Sb •a 1 (mod n ) (Steps 
B3 and B4). 

The system 101, on the other hand, receives 
the code Xb (Step A4), calculates (Xb b /IDb) 7 (mod 

75 n) (Step A5), and keeps the resulting number as 
the key wk for enciphering a message. The iderv 
tification code IDb represents the numbers obtained 
by considering as a numeric value a code obtained 
by encoding the name, address, and so on of the 

20 user B. 

Subsequently, communication between the us- 
ers A and B will be conducted by transmitting 
messages enciphered with the enciphering key wk 
via the channel 103. 

25 The integer numbers S A| S Bl e, c, a and n are 
determined as follows, n is assumed to"be a prod- 
uct of two sufficiently large prime numbers g and 
g. For instance, £ and g may be 2 s58 or so. e and c 
are prime numbers which are equal to or less than 

30 n, while a is a positive integer number which is 
equal to or less than n. Further, d is defined as an 
integer number which satisfies e.d (mod (p-1)»(q- 
1)) = 1. S A and S B are defined as numbers 
obtainable from ID A d (mod n) and ID B d (mod n), 

35 respectively. 

If S A , S B , e, c, a, and n are defined as above, 
ID A and ID B become equal to S A e (mod n) and 
S B e (mod n), respectively. This can be proved from 
a paper entitled "A Method for Obtaining Digital 

40 Signatures and Pubiick-Key Cryptosy stems" by 
R.L Rivest et al., published in the Communication 
of the ACM, Vol. 21, No. 2, pp. 120 to 126. Since 
the key obtained by (XB B /ID B ) r (mod n) on the side 
of the user A becomes equal to a" 1 (mod n) and 

45 the key obtained by (X^/ID/O 1 (mod n ) on the side 
of the user B becomes equal to o^mod n), they 
can prepare the same enciphering key. Even if a 
third party tries to assume the identity of the user 
A, he cannot prepare the key wk since he cannot 

so find out z which meets ID A = Z 8 (mod n). 

Referring now to FIG. 2, a second embodiment 
of the invention comprises a first system 201, a 
second system 202 and an insecure communica- 
tion channel 203. It is assumed herein that the 

55 systems 201 and 202 are used by users A and B, 
respectively. The user A has or knows a secret 
integer number S A and public integer numbers e, 
c. a, and n, which are not necessarily secret white 



3 



0 257 585 



the user B has or knows a secret integer number 
S B and the public integer numbers. These integer 
numbers are designated and distributed by a reli- 
able person or organization in advance. The meth- 
od to designate the integer numbers will be de- 5 
scribed later. 

An operation of the embodiment will next be 
described on a case where the user A starts com- 
munication. The system 201 of the user A gen- 
erates a random number 2 (Step AA1 in FIG. 2) 10 
and determines a first key distribution code X* 
representative of a number obtained by computing 
a" (mod n) as well as a first identification code 
Vindicative of a number obtained by computing 
S A •a c * r (mod n) (AA2). The system 201 then trans- is 
mrts a first pair of X A and Y A to the system 202 of 
the user B (Step AA3). Thereafter, the system 202 
receives the first pair (X* , Ya) (Step BB1), cal- 
culates Y A e /X A C (mod n, and examines whether or 
not the number obtained by the calculation is iden- 20 
ticai to the number indicated by an identification 
code 1D A obtained by the address, the name and 
so on of the user A in a similar manner to in the 
first embodiment (Step BB2). If they are not iden- 
tical to each other, the system suspends process- 25 
ing of the key distribution (Step BB7). On the other 
hand, if they are identical to each other, the system 
202 generates a random number t (Step BB3) and 
determines a second key distribution code X B 
representative of a number obtained by calculating 30 
a e t (mod n) and a second identification code Y B 
obtained by calculating S B •a c4 (mod n) (Step 
BB4). The system 202 then transmits a second pair 
of X B and Y B to the system 201 of the user A (Step 
BB5). The system 202 calculates X A * (mod n) and 35 
keeps the number thus obtained as a enciphering 
key wk (Step BB6). 

The system 201, on the other hand, receives 
the second pair (X B , Y B ) (Step AA4), calculates Y 
B e yXs c (mod n), and examines whether or not the 40 
number thus obtained is identical to the number 
indicated by an identification code !D B obtained by 
the address, the name and so on of the user B in a 
similar manner to in the first embodiment (Step 
AA5). If they are not identical to each other, the 45 
system suspends the key distribution processing 
(Step AA7). If they are identical to each other, the 
system 201 calculates Xe r mod n), and stores the 
number thus obtained as a enciphering key wk 
(Step AA6). Although the codes ID A and JD B are so 
widely known, they may be informed by the user A 
to the user B. 

The integer numbers S Al S Bl e, c, a and n are 
determined in the same manner as in the first 
embodiment As a result, ID A and IO B becomes 55 
equal to Y A e /X A ° (mod n) (= S^ ma^/a^ (mod n)) 
and Y B e /X B c (mod n) f= S| •a Btc /a etc (mod n )), 
respectively. If we presuppose that the above-men- 



tioned reliable person or organization who prepared 
S A and S B do not act illegally, since S A is pos- 
sessed only by the user A while Sb is possessed 
only by the user B, the first pair (x A , y^ which 
satisfies y A e & A C (mod n) = ID A can be prepared 
only by the user A while the second pair (x B , y B ) 
which satisfies y B e /x B c (mod n) = ID B can be pre- 
pared only by the user B. it is impossible to find 
out a number x which satisfies x f (mod n) = b on 
the basis of f, band n since finding out X is 
equivalent to breaking the RSA public key cryp- 
togram system disclosed in the above-mentioned 
the Communication of the ACM. It is described in 
the above-referenced IEEE Transactions on Infor- 
mation Theory that the key wk cannot be cal- 
culated from the codes x A or x B and n. The key 
distribution may be implemented similarly by mak- 
ing the integer number C variable and sending it 
from a user to another. 

An example of the systems 101, 102, 201 and 
202 to be used in the first and second embodi- 
ments will next be described referring to FIG. 3. 

Referring now to RG. 3, a system comprises a 
terminal unit (TMU) 301 such as a personal com- 
puter equipped with communication processing 
functions, a read only memory unit (ROM) 302, a 
random access memory unit (RAM) 303, a random 
number generator (RNG) 304, a signal processor 
(SP) 306, and a common bus 305 which intercon- 
nects the TMU 301, the ROM 302, the RAM 303, 
the RNG 304 and the SP 306. 

The RNG 304 may be a key source 25 dis- 
closed in U.S. Patent No. 4,200,700. The SP 306 
may be a processor available from CYLINK Cor- 
poration under the trade name CY 1024 KEY MAN- 
AGEMENT PROCESSOR. 

The RNG 304 generates random numbers r or 
t by a command given from the SP 306. The ROM 
407 stores the public integer numbers e , c, o, n 
and the secret integer number S A (if the~ROM 407 
is used in the system 101 or 201) or the secret 
integer number S B (rf the ROM 407 is used in the 
system 102 or 202). The numbers S A and S B may 
be stored in the RAM 303 from the TMU 301 
everytime users communicates. According to a 
program stored in the ROM 407, the SP 306 ex- 
ecutes the above-mentioned steps A2, A5, AA2, 
AA5, AA6 and AA7 (if the SP 306 is used in the 
system 101 or 201), or the steps B3, B5, BB2, 
BB4, BB6 and BB7 (if the SP 306 is used in the 
system 102 or 202). The RAM 303 is used to 
temporarily store calculation results in these steps. 

Each of the systems 101, 102, 201 and 202 
may be a data processing unit such as a general 
purpose computer and an IC (integrated circuit) 
card. 



7 



0 257 585 



8 



As described in detail hereinabove, this inven- 
tion enables users to effectively implement key 
distribution simply with a secret piece of informa- 
tion and several public pieces of information. 

While this invention has thus been described in 
conjunction with the preferred embodiments there- 
of, it will now readily be possible for those skilled in 
the art to put this invention into practice in various 
other manners. 



Claims 

1. A key distribution method comprising the 
following steps: 

a) generating a first random number in a first 
system; 

b) generating first key distribution informa- 
tion in said first system by applying a predeter- 
mined first transformation to said first random num- 
ber on the basis of first secret information known 
only by said first system; 

c) transmitting said first key distribution in- 
formation to a second system via a communication 
channel; 

d) receiving said first key distribution in- 
formation in said second system; 

e) generating a second random number in 
said second system; 

f) generating second key distribution infor- 
mation by applying said predetermined first trans- 
formation to said second random number on the 
basis of second secret information known only by 
said second system; 

g) transmitting said second key distribution 
information to said first system via said channel; 

h) receiving said second key distribution in- 
formation in said first system; and 

i) generating an enciphering key in said first 
system by applying a predetermined second trans- 
formation to said second key distribution informa- 
tion on the basis of said first random number and 
identification information of said second system 
which is not secret 

2. A key distribution method as claimed in 
Claim 1, in which said first system includes first 
data processing means for executing said steps a), 
b) and i), and first communication processing 
means for executing said steps c) and h). 

3. A key distribution method as claimed in 
Claim 1 or 2, in which said second system includes 
second data processing means for executing said 
steps e) and 0. and second communication pro- 
cessing means for executing said steps d) and g). 

4. A key distribution method comprising the 
following steps: 

a) generating a first random number in a first 
system; 



b) generating first key distribution informa- 
tion in said first system by applying a predeter- 
mined first transformation to said first random num- 
ber on the basis of public information and generat- 

5 ing first identification information by applying a 
predetermined second transformation to said first 
random number on the basis of first secret informa- 
tion known only by said first system; 

c) transmitting said first key distribution in- 
to formation and said first identification information to 

a second system via a communication channel; 

d) receiving said first key distribution in- 
formation and said first identification information in 
said second system; 

is e) examining whether or not the result ob- 

tained by applying a predetermined third trans- 
formation to said first key distribution information 
on the basis of said first identification information 
satisfies a predetermined first condition and, if it 

20 does not satisfy, suspending key distribution pro- 
cessing; 

f) generating a second random number if 
said first condition is satisfied at said step e); 

g) generating second key distribution infor- 
25 mation by applying said predetermined first trans- 
formation to said second random number on the 
basis of said public information, and generating 
second identification information by applying said 
predetermined second transformation to said sec- 

30 ond random number on the basis of second secret 
information known only by said second system; 

h) transmitting said second key distribution 
information and said second identification informa- 
tion to said first system via said communication 

35 channel; and 

i) examining in said first system whether or 
not the result obtained by applying a predeter- 
mined third transformation to said second key dis- 
tribution information on the basis of said second 

40 identification information satisfies a predetermined 
second condition and, if the result does not satisfy 
said second condition, suspending said key dis- 
tribution processing or, if it satisfies said second 
condition, generating said enciphering key by ap- 

<5 plying a predetermined fourth transformation to 
said first random number on the basis of said 
second key distribution information. 

5. A key distribution method as claimed in 
Claim 4, in which said first system includes first 

so data processing means for executing said steps a), 
b) and i), and first communication processing 
means for executing said step c). 

6. A key distribution method as claimed in 
Claim 4 or 5, in which said second system includes 

55 second data processing means for executing said 
steps e), f) and g), and second communication 
processing means for executing said steps d) and 
h). 
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